Approving the Updates

After updates have been synchronized to your WSUS server, they will be scanned automatically for relevance to the server's client computers. However, you must approve the updates manually before they are deployed to the computers on your network. When you approve an update, you are essentially telling WSUS what to do with it (your choices are Install or Decline for a new update). You can approve updates for the All Computers group or for subgroups. If you do not approve an update, its approval status remains Not approved, and your WSUS server allows clients to evaluate whether or not they need the update.

If your WSUS server is running in replica mode, you will not be able to approve updates on your WSUS server. For more information about replica mode, see Running WSUS 3.0 in Replica Mode.

You can approve the installation of updates for all the computers in your WSUS network or for different computer groups. After approving an update, you can do one (or more) of the following:

Apply this approval to child groups, if any.

Set a deadline for automatic installation. When you select this option, you set specific times and dates to install updates, overriding any settings on the client computers. In addition, you can specify a past date for the deadline if you want to approve an update immediately (to be installed the next time client computers contact the WSUS server).

Remove an installed update if that update supports removal.

Important

You cannot set a deadline for automatic installation for an update if user input is required (for example, specifying a setting relevant to the update). To determine whether an update will require user input, look at the May request user input field in the update properties for an update displayed on the Updates page. Also check for a message in the Approve Updates box that says, "The selected update requires user input and does not support an installation deadline."

Important

If there are updates to the WSUS server component, you cannot approve other updates to client systems until the WSUS update is approved. You will see this warning message in the Approve Updates dialog box: "There are WSUS updates that have not been approved. You should approve the WSUS updates before approving this update." In this case, you should click the WSUS Updates node and make sure that all of the updates in that view have been approved before returning to the general updates.

Right-click the selection and click Approve. The Approve Updates dialog box opens with the Approval status set to Keep existing approvals and the OK button disabled .

You can change the approvals for the individual groups, but doing so will not affect child approvals. Select the group for which you want to change the approval, and click the arrow to its left. In the shortcut menu, click Approved for Install.

The approval for the selected group changes to Install. If there are any child groups, their approval remains Keep existing approval. To change the approval for the child groups, click the group and click the arrow to its left. In the shortcut menu, click Apply to Children

To set a specific child to inherit all its approval from the parent, click the child and click the arrow to its left. In the shortcut menu, click Same as Parent. If you set a child to inherit approvals, but are not changing the parent approvals, the child will inherit the existing approvals of the parent.

If you want the approval behavior to change for all children, approve All Computers, and then choose Apply to Children.

Click OK after setting all your approvals. The Approval Progress window will display the progress toward completing the approval. When the process is complete, the Close button will be available. Click Close.

If you select this option, the update is removed from the default list of available updates and the WSUS server will not offer the update to clients, either for evaluation or installation. You can reach this option by selecting an update or group of updates and right-clicking or going to the Actions pane. Declined updates will appear in the updates list only if you select Declined in the Approval list when specifying the filter for the update list under View.

If an update has been approved and you decide not to install it at this time but want to save it for a future time, you can unapprove the update. This means that the update will remain in the default list of available updates and will report client compliance, but will not be installed on clients.

You can approve an update for removal (that is, to uninstall an already-installed update). This option is available only if the update is already installed and supports removal. You can specify a deadline for the update to be uninstalled, or specify a past date for the deadline if you want to remove the update immediately (the next time client computers contact the WSUS server).

Note

Not all updates support removal. You can see whether an update supports removal by selecting an individual update and looking at the Details pane. Under Additional Details, you will see the Removable category. If the update cannot be removed through WSUS, in many cases it can be removed with Add or Remove Programs from Control Panel.

In the list of updates, select one or more updates that you want to approve for removal and right-click them (or go to the Actions pane).

In the Approve Updates dialog box, select the computer group from which you want to remove the update, and click the arrow next to it.

Select Approved for Removal, and then click the Remove button.

After the remove approval has completed, you may select a deadline by right-clicking the update once more, selecting the appropriate computer group, and clicking the arrow next to it. Then select Deadline.

You may select one of the standard deadlines (one week, two weeks, one month), or you may click Custom to select a specific date and time.

If you want an update to be removed as soon as the client computers contact the server, click Custom, and set a date in the past.

You can configure your WSUS server for automatic approval of certain updates. You can also specify automatic approval of revisions to existing updates as they become available. This option is selected by default. A revision is a version of an update that has had changes made to it (for example, it might have expired, or its applicability rules might have changed). If you do not choose to approve the revised version of an update automatically, WSUS will use the older version, and you must manually approve the update revision.

You can create a rule that your WSUS server will automatically apply during synchronization. You specify what updates you want to automatically approve for installation, by update classification and by computer group. This applies only to new updates, as opposed to revised updates. This setting is available in the Options pane, under Automatic Approvals.

In the WSUS administration console, click Options, and then click Automatic Approvals.

In Update Rules, click New Rule.

In the Add Rule dialog box, under Step 1: Select properties, select whether to use update classifications or products (or both) as criteria.

In Step 2: Edit the properties, click the underlined properties to select the values for which you want automatic approvals.

In Step 3: Specify a name, give a name to the rule.

Click OK.

Note

Automatic approval rules will not apply to updates requiring an End User License Agreement (EULA) that has not yet been accepted on the server. If you find that applying an automatic approval rule does not cause all the relevant updates to be approved, you should approve these updates manually.

The Automatic Approvals section of the Options pane contains a default option to automatically approve revisions to approved updates. You can also set your WSUS server to automatically decline expired updates. If you choose not to approve the revised version of an update automatically, your WSUS server will use the older revision, and you must manually approve the update revision.

Note

A revision is a version of an update that has changed (for example, it might have expired or have updated applicability rules).

In the WSUS administration console, click Options, and then click Automatic Approvals.

On the Advanced tab, make sure that both Automatically approve new revisions of approved updates and Automatically decline updates when a new revision causes them to expire check boxes are selected.

Click OK.

Important

Keeping the default values for these options allows you maintain good performance on your WSUS network. If you do not wish expired updates to be declined automatically, you should make sure to decline them manually on a periodic basis.

Typically, an update that supersedes other updates does one or more of the following:

Enhances, improves, or adds to the fix provided by one or more previously released updates.

Improves the efficiency of its update file package, which is installed on client computers if the update is approved for installation. For example, the superseded update might contain files that are no longer relevant to the fix or to the operating systems now supported by the new update, so those files are not included in the superseding update's file package.

Updates newer versions of operating systems. It is also important to note that the superseding update might not support earlier versions of operating systems.

Conversely, an update that is superseded by another update does the following:

Fixes a problem similar to that of the update that supersedes it. However, the update that supersedes it might enhance the fix that the superseded update provides.

Updates earlier versions of operating systems. In some cases, these versions of operating systems are no longer updated by the superseding update.

In an individual update's detail pane, an informational icon and a message at the top indicates that it either supersedes or is superseded by another update. In addition, you can determine which updates supersede or are superseded by the update by looking at the Updates superseding this update and Updates superseded by this update entries in the Additional Details section of the Properties. An update's detail pane is displayed below the list of updates.

WSUS does not automatically decline superseded updates, and it is recommended that you do not assume that superseded updates should be declined in favor of the new, superseding update. Before declining a superseded update, make sure that it is no longer needed by any of your client computers. The following are examples of scenarios in which you might need to install a superseded update:

If a superseding update supports only newer versions of an operating system, and some of your client computers run earlier versions of the operating system.

If a superseding update has more restricted applicability than the update it supersedes, which would make it inappropriate for some client computers.

If an update no longer supersedes a previously released update because of new changes. It is possible that through changes at each release, an update no longer supersedes an update it previously superseded in an earlier version. In this scenario, you will still see a message about the superseded update, even though the update that supersedes it has been replaced by an update that does not.

Because a superseding update typically enhances a fix provided by a previously released update, it is recommended that you first see how many client computers will be compliant with the new update and work backward from there. Use the following process.

Check the status of the update on client computers. Note which computers show status as Not applicable for the update, and then compare the properties of those computers with the properties of the update.

Use the information available in the update properties to help you determine which previously released versions are available. You can look under Updates superseded by this update in the update's properties, and check the Description and KB article number entries if appropriate.

Look at the properties of the superseded versions of the updates.

When you find a superseded update that seems appropriate for the remaining client computers, approve the update for installation.